5 FAH-2 H-860 
ANTIVIRUS PROGRAM 

(CT:TEL-37; 08-30-2013) 
(Office of Origin: IRM/OPS/ITI/S) 

5 FAH-2 H-861 POLICY 

(CT:TEL-37; 08-30-2013) 

a. In accordance with 12 FAM 600, all Department information systems must be 
protected with approved virus detection and prevention programs. 
IRM/OPS/ITI/SI/IIB (Systems Integrity Division, Information Integrity Branch) 
provides antivirus software and documentation to all bureaus and field posts 
free of charge. The Setup and Installation Procedures Handbook, included with 
the software, answers procedural questions about installation. Contact 
IRM/OPS/ITI/SI/IIB at (202) 203-5172 or visit the Virus Incident Response 
Team Web site for more information. 

b. Employees and contract personnel may obtain antivirus software from their 
domestic bureau or post's systems office for home usage to prevent malicious 
code from migrating to the office environment. Home use of antivirus software 
procured by the Department is only authorized for Department of State 
employees. When employment is terminated, the software must be removed. 
Diplomatic privilege and various host-country custom laws may prohibit locally 
employed staff (LES) or third-country nationals (TCNs) from installing 
Department of State-procured antivirus software on privately owned PCs. Also, 
vendor contracts sometimes require country-custom review. If not prohibited 
by host-country law, copies of antivirus software may be requested for 
FSN/TCN use through the antivirus program. See the Virus Incident Response 
Team's Cables Help Guide Web page. Licensing, reproduction, and distribution 
of antivirus software for domestic and post usage abroad are the responsibility 
of the antivirus program staff, IRM/OPS/ITI/SI/IIB. Information Programs 
Center (IPC) personnel must install and update antivirus software on all 
computers maintained by the IPC (i.e., TEMPEST computers and non-TEMPEST 
classified computers within controlled access areas [CAAs]). 

5 FAH-2 H-862 UNCLASSIFIED SYSTEMS 

(CT:TEL-37; 08-30-2013) 

a. IRM's Antivirus Program Office, Virus Incident Response Team (VIRT), 
automatically updates antivirus definitions to enterprise (i.e., OpenNet and 
ClassNet) machines on a daily basis. Each post/site/bureau is required to have 
a group update provider (GUP) assigned to properly receive the updated 
signature files. A GUP can be a workstation or a server. 

b. Unclassified, nonnetworked, standalone computers (i.e., not connected to any 
other computer) may be updated by downloading the most current signature 
file from the antivirus website or the software vendor's website on the Internet. 
The signature file should be copied to removable media that contains no 
sensitive information. The local computer hard drive and removable media 
containing the signature files must be scanned prior to use on any other 
Department computer. Scanned removable media may be used to copy the 
signature update files to other unclassified standalone computers. 

c. Unclassified networked computers not connected to OpenNet (i.e., laptops or 
computers on a dedicated Internet network (DIN)) or with access to the Internet 
may be updated as stated or automatically from the vendor's website in the 
same manner recommended for home users. At critical technical and/or 
HUMINT threat posts, consult 5 FAH-2 H-863, Classified Systems. 



5 FAH-2 H-863 CLASSIFIED SYSTEMS 

(CT:TEL-37; 08-30-2013) 

Downloading of updated virus signature files from the Internet or Internet-based 
bulletin boards for classified systems is strictly prohibited. Virus signature files 
and software updates for Department-approved antivirus applications must be 
downloaded from the Intranet AV Website link for use on classified systems or for 
unclassified systems at critical technical and/or HUMINT threat posts. File 
transfers to classified systems must be done in accordance with 12 FAM 670. For 
all posts abroad, IRM/OPS/ITI/SI will send original program and updated antivirus 
signature files via classified pouch in the care of the information programs officer 
(IPO), information management officer (IMO), or a cleared U.S. citizen employee. 
Upon use, the Department-supplied AV media must be labeled with the highest 
classification of information processed on the classified system and cannot be 
returned for unclassified use. 



5 FAH-2 H-864 VIRUS INCIDENT REPORTING 

(CT:TEL-37; 08-30-2013) 

If a virus is discovered, send a report via email to virus2@state.gov and 
VIRUS@state.sgov.gov (classified) and a courtesy copy to the Computer Incident 
Response Team (CIRT) DS/CS/MIRD CIRT at CIRT@state.gov or 
cirt@state.sgov.gov. The report should include the following: 

(1) Name of virus and occurrences; 

(2) Location of computer/network (bureau, post, or office); 

(3) Origin of virus infection; 

(4) Infected equipment type (standalone equipment/devices, networked 
equipment/device, or peripheral, e.g., thumb drives, CDs, etc.); 

(5) Type of software used to eradicate the virus: 

(a) Specific application version (e.g., SEP or ScanMail); 

(b) Signature file installed (date and/or sequence number); and 

(c) Scan engine installed (date and/or sequence number); 

(6) Losses incurred (defined as loss of equipment, software, or computer 
system downtime); 

(7) Point of contact for follow-up support; and 

(8) Remarks. 

5 FAH-2 H-865 THROUGH H-869 UNASSIGNED 